The Ivanti Threat Thursday Update for September 28, 2017: Equifax, and Beyond…

Greetings. This week, a leading U.S. regulatory agency and a popular fast-food chain get breached, and a global study finds many enterprises may be misspending on cybersecurity. Got opinions, reactions, suggestions, or all of the above? Feel free to share, and thanks in advance.

Did You Hear? Sonic Drive-In Had Its Payment System Breached

As the effects of the Equifax data breach continue to reverberate, including the retirement of the CEO and other senior executives, details of a significant breach at the Sonic Drive-In fast-food chain have begun to emerge.

As KrebsOnSecurity reported, Sonic, “with nearly 3,600 locations across 45 U.S. states, has acknowledged a breach affecting an unknown number of store payment systems.” According to a statement from the company, when informed last week of “‘unusual activity regarding credit cards,’” Sonic “‘immediately engaged third-party forensic experts and law enforcement.’”

On Sept. 18, approximately five million credit and debit card accounts were offered for sale on “a credit card theft bazaar” known as “Joker’s Stash.” Two sources whom KrebsOnSecurity asked to purchase accounts included in the offer found that “they all had been recently used at Sonic locations.” The attack may extend beyond Sonic. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”

If the Sonic breach mirrors the 2016 attack on the Wendy’s fast-food chain, effects could be both expensive and persistent. “The Wendy’s breach was extremely costly for card-issuing banks and credit unions, which were forced to continuously re-issue customer cards that kept getting re-compromised every time their customers went back to eat at another Wendy’s.” The problem was amplified because most Wendy’s outlets “were not corporate-owned but instead independently-owned franchises whose payment card systems were managed by third-party point-of-sale vendors. According to Sonic’s Wikipedia page, roughly 90 percent of Sonic locations across America are franchised.”

What We Say: Hackers’ techniques and technologies are growing in sophistication. Increasingly, those techniques and technologies target smaller affiliates of larger organizations, as those smaller organizations tend to have less comprehensive cybersecurity measures in place. Fortunately, consistent implementation of relatively basic defenses can improve security at even the smallest and most remote members of your enterprise’s value chain. To achieve and maintain defense in depth at your enterprise, make sure you’ve got basic cybersecurity measures in place and well enforced across your entire extended environment. (See “Your Threats Are Evolving. Are Your Defenses?”)

U.S. Securities and Exchange Commission Head Admits Significant Breaches

On September 20, SEC chairman Jay Clayton released an eight-page statement on cybersecurity. Included in that statement was disclosure of a breach at the agency, which, according to its web site, “oversees the key participants in the securities world, including securities exchanges, securities brokers and dealers, investment advisors, and mutual funds.”

As reported by the Washington Post, Clayton followed the September 20 statement with testimony before the Senate Banking Committee. “Clayton said he didn’t become aware of a 2016 security breach until last month when the issue emerged as part of a separate investigation. After he learned of the hack, Clayton said, he ordered an internal review. That’s when he discovered that the breach may have allowed hackers to make an illegal profit by trading stock, he said.”

The breached system, known as Edgar, receives “millions of documents a day,” and has been hacked before. “‘We are under constant attack by nefarious actors,’ Clayton said during the [Banking Committee] hearing. ‘We must remain on top of evolving threats when it comes to securing our own networks and systems against intrusion.’”

“In the wake of the breach, the SEC is hiring additional personnel to aid in its cybersecurity efforts and starting a new cybersecurity unit, Clayton said. The agency’s Office of Inspector General and other officials are investigating the extent of the breach, including how much data may have been taken and how long hackers had access to the system, he said.”

What We Say: Where breaches and their remediation are concerned, every minute matters. The faster a successful attack can be identified, disabled, and quarantined, the more effectively its effects can be limited. To avoid delays in identification, disclosure, and remediation of breaches at your enterprise, make sure you have comprehensive discovery, inventory, application control, and protections that limit the spread of malware that gets past your defenses. (See “Infected by Ransomware—Now What?” and the webinar “Hacked!?! How Can I Fix This Fast?”)

Survey: Enterprises May Be Spending More and Getting Less Cybersecurity

The 2017 Cost of Cyber Crime Study, “undertaken by the Ponemon Institute and jointly developed by Accenture,” is based on 2,182 interviews of decision-makers at 254 companies in seven countries. The study indicates that enterprises may be spending the largest chunks of their cybersecurity budgets on the least effective solutions.

The study, published after the Equifax breach, finds cybersecurity to be a growth industry, for hackers and enterprise defenders alike. The average number of breaches per company per year increased 27 percent, from 102 in 2016 to 130 in 2017.

The study considers “the total costs organizations incur when responding to cyber crime incidents.” These include “the costs to detect, recover, investigate and manage the incident response.” The study also includes “the costs that result in after-the-fact activities and efforts to contain additional costs from business disruption and the loss of customers.” The survey found that those costs average out to US$11.7 million per company in 2017, a one-year increase of 22.7 percent.

“Of the nine security technologies evaluated, the highest percentage spend was on advanced perimeter controls. Yet, the cost savings associated with technologies in this area were only fifth in the overall ranking.”

“Innovations are generating the highest returns on investment, yet investment in them is low. For example, two enabling security technology areas identified as ‘Extensive use of cyber analytics and User Behavior Analytics (UBA)’ and ‘Automation, orchestration and machine learning’ were the lowest ranked technologies for enterprise-wide deployment (32 percent and 28 percent respectively) and yet they provide the third and fourth highest cost savings for security technologies.”

Not all the news unearthed by the study is bad. “Security intelligence systems (67 percent) and advanced identity and access governance (63 percent) are the top two most widely deployed enabling security technologies across the enterprise. They also deliver the highest positive value gap with organizational cost savings of US$2.8 million and US$2.4 million respectively.”

The study recommends three steps every enterprise can take to improve its cybersecurity. Enterprise decision-makers should build that cybersecurity on “a strong foundation” of “brilliant basics” such as security intelligence and access management, conduct “extreme pressure testing” of their chosen measures, and invest in “breakthrough innovation.”

All of these solutions can help you to modernize your environment and improve your cybersecurity, for maximum protection with minimal disruption. Check them out online. Then, let’s talk. (And do please keep reading and sharing our Patch Tuesday and Threat Thursday updates.)